[Bro] scan.bro and missing log entries

Tyler T. Schoenke Tyler.Schoenke at colorado.edu
Thu Dec 2 14:07:09 PST 2010

On 12/02/2010 02:28 PM, Robin Sommer wrote:
> Actually it means that 100 hosts have been scanned and the *last*
> attempt triggering the alert was on port 506 (not necessarily all).
> When you were checking conn.log, did you filter for all connections
> involving that IP or just those on port 5060? 
That would explain it.  I'm guessing this machine was some sort of
software like P2P or Skype.  Is there a way to change the scanner so it
only fires alerts when 100 hosts have been scanned on a single port?  
It seems P2P type applications tend to fire a lot of scan
notifications.  The other ones I see a lot are the Apple servers.  Maybe
people connecting to them for updates?


More information about the Bro mailing list